On November 30, 2025 at around 21:11 UTC, an attacker exploited a minting vulnerability in Yearn Finance’s legacy yETH token contract. By creating approximately 235 trillion yETH tokens in a single transaction, the attacker was able to siphon off about $8 million from the primary stableswap pool and $0.9 million from the yETH-WETH pool on Curve, totaling nearly $9 million in losses. Funds equivalent to roughly 1,000 ETH were subsequently routed through the Tornado Cash mixer to obscure the trail.
Yearn Finance promptly confirmed the incident, clarifying that the exploit affected only the custom stable-swap implementation for legacy yETH and did not compromise the V2 or V3 Vault infrastructure, which collectively maintain a total value locked exceeding $600 million. The incident represented the latest security breach in Yearn’s protocol history, following previous exploits in 2021 and multisignature-related issues in 2023, and underscored ongoing challenges around safeguarding legacy code.
Blockchain analysis by security firms SEAL 911 and ChainSecurity indicated deployment of ephemeral helper contracts that self-destructed after execution, complicating forensic efforts. The attacker leveraged these contracts to inflate yETH supply and extract real assets without triggering standard mint-limit safeguards. On-chain alerts flagged the anomaly immediately, and Yearn’s governance community began discussions around restitution options shortly thereafter.
Following the exploit, the protocol’s native YFI token experienced a sudden price drop of approximately 5.5%, reflecting a decline in investor confidence and temporary reduction in protocol revenue projections. Trading volumes spiked as arbitrage bots and reactive traders capitalized on price dislocations, further accelerating volatility in Yearn-associated markets.
In response, Yearn Finance initiated a multi-pronged remediation plan, including a governance proposal to authorize a $3.2 million USDC Merkle airdrop to affected stakeholders, implementation of a v1.1 patch to enforce minting limits, and deployment of real-time monitoring tools across all stable-swap pools. A $500,000 bug bounty was also offered for related findings, with the objective of reinforcing code security and restoring user confidence.
The exploit served as a reminder of risks inherent in maintaining legacy DeFi contracts alongside evolving protocol standards. Protocol architects emphasized plans to deprecate legacy components in favor of audited, community-vetted alternatives, while highlighting the resilience of core vaults. Observers noted that infinite-mint vulnerabilities remained a critical attack vector in decentralized finance, prompting calls for standardized security frameworks and continuous third-party review.
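The remediation steps above mention enforcing minting limits and deploying real-time monitoring across pools, and the on-chain alerts that flagged this incident relied on the same signal: a mint that is enormous relative to the supply that existed before it. The following is an added illustration, not Yearn's code or the monitoring tooling described in the article. It models an off-chain watcher that reconstructs total supply from ERC-20 style Transfer events (a mint is a Transfer from the zero address, a burn is a Transfer to it) and raises an alert when a single transaction, or all mints within one block, exceed a configurable fraction of prior supply. The event format, the threshold values, and the sample events are all constructed for the example.

```python
from typing import Dict, List, NamedTuple

ZERO_ADDRESS = "0x" + "0" * 40  # ERC-20 mints surface as Transfer(from=0x0)


class Alert(NamedTuple):
    block: int
    tx: str
    minted: int
    supply_before: int
    reason: str


class MintMonitor:
    """Tracks total supply from Transfer events and flags outsized mints.

    Two caps, each expressed as a fraction of the supply that existed
    before the mint (hypothetical defaults, not any real protocol's):
    - max_tx_fraction: a single transaction may not mint more than this
    - max_block_fraction: all mints within one block may not exceed this
    """

    def __init__(self, max_tx_fraction: float = 0.05,
                 max_block_fraction: float = 0.10) -> None:
        self.max_tx_fraction = max_tx_fraction
        self.max_block_fraction = max_block_fraction
        self.supply = 0
        self._block = None
        self._block_minted = 0
        self._block_supply_start = 0
        self._block_alerted = False

    def _start_block(self, block: int) -> None:
        # Reset per-block accumulators when the block number changes.
        self._block = block
        self._block_minted = 0
        self._block_supply_start = self.supply
        self._block_alerted = False

    def process(self, ev: Dict) -> List[Alert]:
        """Apply one Transfer event; return any alerts it triggers."""
        if ev["block"] != self._block:
            self._start_block(ev["block"])
        alerts: List[Alert] = []
        if ev["from"] == ZERO_ADDRESS:
            minted = ev["value"]
            before = self.supply
            # A genesis mint (supply 0) has no baseline, so ratio checks are skipped.
            if before > 0 and minted > before * self.max_tx_fraction:
                alerts.append(Alert(ev["block"], ev["tx"], minted, before,
                                    "single-tx mint exceeds cap"))
            self._block_minted += minted
            if (not self._block_alerted and self._block_supply_start > 0
                    and self._block_minted
                    > self._block_supply_start * self.max_block_fraction):
                self._block_alerted = True  # one block-level alert per block
                alerts.append(Alert(ev["block"], ev["tx"], self._block_minted,
                                    self._block_supply_start,
                                    "per-block mint exceeds cap"))
            self.supply += minted
        elif ev["to"] == ZERO_ADDRESS:
            self.supply -= ev["value"]  # burn
        return alerts

    def scan(self, events: List[Dict]) -> List[Alert]:
        """Replay events in block order (stable sort keeps tx order within a block)."""
        found: List[Alert] = []
        for ev in sorted(events, key=lambda e: e["block"]):
            found.extend(self.process(ev))
        return found


# Constructed sample events (not real chain data). Blocks 1-4 are routine
# activity; block 5 mints an amount vastly larger than the existing supply.
SAMPLE_EVENTS: List[Dict] = [
    {"block": 1, "tx": "0xa1", "from": ZERO_ADDRESS, "to": "0xdeployer", "value": 1_000_000},
    {"block": 2, "tx": "0xa2", "from": "0xdeployer", "to": "0xpool", "value": 400_000},
    {"block": 3, "tx": "0xa3", "from": ZERO_ADDRESS, "to": "0xuser1", "value": 20_000},
    {"block": 4, "tx": "0xa4", "from": "0xuser1", "to": ZERO_ADDRESS, "value": 5_000},
    {"block": 5, "tx": "0xa5", "from": ZERO_ADDRESS, "to": "0xhelper", "value": 235_000_000_000_000},
    {"block": 5, "tx": "0xa6", "from": "0xhelper", "to": "0xpool", "value": 235_000_000_000_000},
]


if __name__ == "__main__":
    monitor = MintMonitor()
    for alert in monitor.scan(SAMPLE_EVENTS):
        print(f"block {alert.block} tx {alert.tx}: {alert.reason} "
              f"(minted {alert.minted} against supply {alert.supply_before})")
    print("final supply:", monitor.supply)
```

The block-level cap matters because a mint split across several helper transactions in the same block would stay under a per-transaction cap while still inflating supply; checking the running per-block total catches that pattern as well. On a production watcher the same checks would run against a live event stream, with the thresholds tuned to the token's normal issuance rate.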
Despite the breach, liquidity in Yearn’s V2 and V3 vaults remained intact, with no disruptions reported in user deposits or operations. Market participants monitored governance discussions and audit findings closely, assessing potential long-term implications for protocol tokenomics and the broader DeFi ecosystem. The incident underscored the importance of vigilant security practices and rapid incident response in safeguarding decentralized finance infrastructure.